Electronic Communications Privacy Act (ECPA)
- Online Privacy Bills Introduced in Congress, EPIC Recommends Further Changes: Senators and House Members have introduced bills to update the federal communications privacy law. The proposals would require law enforcement agents to obtain a warrant before they could access e-mails or location data. EPIC has called for a comprehensive overhaul of the federal privacy law. EPIC has recommended protections for location data, data minimization requirements, and end-to-end encryption for commercial email services. (Feb. 4, 2015)
- Privacy Case Moves Forward Against Facebook and Zynga: The Ninth Circuit found that the companies may have violated Facebook's privacy policies when they disclosed user information for advertising purposes. Separately, the court ruled that there was no violation of the Electronic Communications Privacy Act because the data disclosed (including Facebook IDs and HTTP referers) is not "contents" of a communication. Congress is set to consider several ECPA reforms, and could fix the court's ruling by making clear that the law prevents the disclosure of personally identifiable information. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Facebook Privacy. (May. 9, 2014)
- Texas Bill to Require Warrants for E-mail Searches Awaits Governor's Signature: The Texas legislature has passed H.B. No. 2268, a bill that creates a warrant requirement for law enforcement access to stored electronic communications and customer data. The law, which was presented to Governor Rick Perry this week, is the first successful state effort to establish an across-the-board warrant requirement for stored communications. Congress is considering similar changes to the federal Electronic Communications Privacy Act. Others have proposed more sweeping privacy reforms, and there are bills in both the House and Senate that would establish location privacy protections. EPIC testified before the Texas Legislature on H.B. 1608, a location privacy companion to H.B. 2268. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (May. 29, 2013)
- Senator Paul Introduces Bill to Protect Fourth Amendment, Abolish "Third Party Doctrine": Senator Rand Paul (R-Ky) has introduced the Fourth Amendment Preservation and Protection Act of 2013, which would prohibit the warrantless collection of information about individuals held by third parties. The law would overturn the "third party doctrine," which has been widely criticized by courts and legal scholars. The bill has been referred to the Senate Judiciary Committee. Senator Paul will receive a 2013 EPIC Champion of Freedom Award in Washington, DC on June 3. For more information, see EPIC: Awards Dinner and EPIC: Electronic Communications Privacy Act. (May. 28, 2013)
- Senate Committee Clears Update to Email Privacy Law: The Senate Judiciary Committee has approved a bill that would update the Electronic Communications Privacy Act, a 1986 law that provides privacy protections for email and digital communications. The update, sponsored by Senator Patrick Leahy (D-VT) and co-sponsored by Senator Mike Lee (R-UT), would extend protections to communications that are stored in the cloud. Earlier this year, the Supreme Court declined to review a decision by the South Carolina Supreme Court which held that ECPA does, protect emails stored on remote computer servers. EPIC, joined by 18 national organizations filed an amicus brief, urging the Supreme Court to clarify the scope of e-mail privacy protections. In March, EPIC sent a letter to the House Judiciary Committee, recommending a comprehensive review of the law. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Jennings v. Broome. (Apr. 26, 2013)
- Supreme Court Will Not Review E-mail Privacy Case: In an order today, the U.S. Supreme Court has declined to review a decision concerning e-mail privacy. In Jennings v. Broome, the South Carolina Supreme Court held that the federal Electronic Communications Privacy Act (ECPA) does not protect emails stored on remote computer servers. As a result of this case, users in South Carolina have lesser privacy protections than those in California where a federal court reached the opposite conclusion. EPIC, joined by 18 national organization filed an amicus brief, urging the US Supreme Court to clarify the scope of e-mail privacy protections. For more information, see EPIC: Jennings v. Broome and EPIC: Electronic Communications Privacy Act. (Apr. 15, 2013)
- EPIC Highlights Need for Broad Reform of Federal Privacy Law: In response to a request from the House Judiciary Committee, EPIC has recommended a comprehensive review of the federal communications privacy law. Congress will begin hearings this week on ECPA Part 1: Lawful Access to Stored Content. EPIC's letter to the Committee noted the recent settlement by the state Attorneys General with Google in the Street View matter and the reluctance of federal officials to pursue a similar investigation. EPIC also noted growing confusion in the lower courts about the application of the federal privacy law. Finally, EPIC pointed out that the current law provides inadequate protection for private location records. For more information, see EPIC: Electronic Communications Privacy Act and EPIC: Locational Privacy. (Mar. 18, 2013)
- Senator Leahy Supports International Privacy Day: Senator Patrick Leahy, Chairman of the Senate Judiciary Committee, today issued a statement in commemoration of January 28, International Data Privacy Day. International privacy day marks the adoption of the Council of Europe Privacy Convention, the first global framework for privacy protection. Senator Leahy said, "In the Digital Age, Americans face new threats to their digital privacy and security as consumers and businesses alike collect, share and store more and more information in cyberspace. Data Privacy Day is an important reminder about the need to improve data privacy as we reap the many benefits of new technologies." EPIC has urged the United States to ratify the Privacy Convention. For more information, see EPIC: Electronic Communications Privacy Act, EPIC: International Privacy Day, and EPIC - Facebook, International Privacy Day. (Jan. 28, 2013)
- Senator Leahy Sets Out Judiciary Committee Agenda for New Congress: On January 16, 2013, Georgetown University Law School hosted Senator Patrick Leahy (D-VT), the chairman of the Senate Judiciary Committee. Leahy set out the agenda of the Judiciary Committee in the 113th Congress, vowing to commit the Committee to addressing "out most fundamental rights, and our most basic freedoms." Updates to key legislation, including laws on e-mail privacy and cybersecurity, are included in the Committee's agenda. The Chairman explained that the Committee would also address the need for oversight of US counterterrorism programs as well as privacy issues involved with the growing use of domestic surveillance drones. Furthermore, Senator Leahy emphasized the importance of open government as an American value, promising to "continue to fight for transparency that keeps the government accountable to the people." For more information, see EPIC: Electronic Communications Privacy Act, EPIC: Open Government, and EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones. (Jan. 17, 2013)
- Senate Judiciary Committee Approves Location Privacy Bill: The Location Privacy Act of 2011, sponsored by Senator Al Franken has been reported favorably by the Senate Judiciary Committee. The bill requires affirmative consent for the collection and disclosure of location information, an important protection for cell phone users and users of location-based services. EPIC previously recommended similar protections for location data and filed comments with the Federal Communications Commission advocating location privacy safeguards under the Communications Act. For more information, see EPIC: Locational Privacy and EPIC: Electronic Communications Privacy Act. (Dec. 14, 2012)
Introduction to ECPA
The Electronic Communications Privacy Act ("ECPA") was passed in 1986 to expand and revise federal wiretapping and electronic eavesdropping provisions. It was envisioned to create "a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement." Congress also sought to support the creation of new technologies by assuring consumers that their personal information would remain safe.
ECPA includes the Wiretap Act, the Stored Communications Act, and the Pen-Register Act. Wire communication refers to "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection"; in short, it refers to phone conversations. An oral communication is "any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circumstances justifying such expectation"; this constitutes any oral conversation in person where there is the expectation no third party is listening.
Individuals who violate ECPA face up to five years of jail time and a $250,000 fine. Victims are also entitled to a civil suit of actual damages, in addition to punitive damages and attorney's fees. The United States itself cannot be sued for a violation, but evidence that is gathered illegally cannot be introduced in court.
Prohibition on Interception of Communications
ECPA does include important provisions that protect a person's wire and electronic communications from being intercepted by another private individual. In general, the statute bars wiretapping and electronic eavesdropping, possession of wiretapping or electronic eavesdropping equipment, and the use or disclosure of information unlawfully obtained through wiretapping or electronic eavesdropping. The Wiretap Act prohibits any person from intentionally intercepting or attempting to intercept a wire, oral or electronic communication by using any electronic, mechanical or other device. To be clear, an electronic device must be used to perform the surveillance; mere eavesdropping with the unaided ear is not illegal under ECPA.
There are exceptions to this blanket prohibition, such as if the interception is authorized by statute for law enforcement purposes or consent of at least one of the parties is given. Although some states prohibit the recording of conversations unless all parties consent, ECPA requires only one party consent; an individual can record his own conversation without violating federal law. In the workplace, an employer would likely not violate ECPA by listening to an employee's communications if, for example, blanket consent was given as part of the employee's contract.
In addition to criminalizing the actual wiretapping or electronic eavesdropping, ECPA also prohibits an individual from disclosing such information obtained illegally if the person has reason to know that it was obtained illegally through the interception of a wire, oral, or electronic communication. Similarly, if a person cannot lawfully disclose a lawful law enforcement wiretapping and if he has reason to know that doing so will obstruct a criminal investigation.
Prohibition on Access of Communications
While the Wiretap Act addresses the interception of communications, the Stored Communications Act addresses access to stored communications at rest. In the modern context, this primarily refers to e-mails that are not in transit. The Act makes it unlawful to intentionally access a facility in which electronic communication services are provided and obtain, alter, or prevent unauthorized access to a wire or electronic communication while it is in electronic storage in such system. This statute also makes exceptions for law enforcement access and user consent.
As with other forms of communication protected under ECPA, an employer is generally forbidden from accessing an employee's private e-mails. However, if consent is given in the form of an employment contract that explicitly authorizes the employer to access e-mails, it may be lawful under ECPA for him to do so.
Pen Registers and Trap and Trace
Pen registers and trap and trace devices provide non-content information about the origin and destination of particular communications. Because this information does not contain the content of the communication, it is subject to lesser restrictions than actual content. The Supreme Court has long held that there is no reasonable expectation of privacy in this information because the telecommunications company has ready access to it; in fact, the company must utilize this information to ensure the communications are properly routed and delivered. The Pen-Register Act covers pen registers/trap and trace.
In the context of phone calls, Pen-Registers display the outgoing number and the incoming number. Because e-mail subject lines contain content, their use on e-mails, per revisions in the USA PATRIOT Act, must include the sender and addressee, but avoid any part of the subject. IP addresses and port numbers associated with the communication are also fair game under the Act.
The regulations specifically apply to "devices" that capture this information. Thus, ECPA generally prohibits the installation or use of any device that serves as a pen register or trap and trace. Amendments in the USA PATRIOT Act allow the term devices to also encompass software.
Also, unlike provisions relating to the interception and access of communications, there is no statutory exclusionary rule that applies when the government illegally uses a pen register/trap and trace device. And there is no private cause of action against the government for violations of this law.
Disclosure of Records
ECPA lays out guidelines for law enforcement access to data. Under the Stored Communications Act, the government is able to access many kinds of stored communications without a warrant.
The following table illustrates the different treatment of the contents of an email at various times:
In addition to the specific government exceptions outlined above, there is other information that the government is empowered to collect from communications providers in the form of customer records. Under § 2703, an administrative subpoena, a National Security Letter ("NSL"), can be served on a company to compel it to disclose basic subscriber information. Section 2703 also allows a court to issue an order for records; whether an NSL or court order is warranted depends upon the information that is sought.
An NSL can be used to obtain the name; address; local and long distance telephone connection records, or records of session times and durations; length of service (including start date) and types of service utilized; telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and means and source of payment for service (including any credit card or bank account number) of a subscriber. Although the breadth of information that can be gathered with an NSL is quite large, and was dramatically expanded with the USA PATRIOT Act, none of this information is supposed to include content.
All other non-content customer records have to be obtained by a court order under § 2703(d). These include transactional records such as "addresses of web sites visited by the customer and e-mail addresses of other individuals with whom the account holder has corresponded." Although an order for these materials is issued by a court, the court is not issuing a warrant based upon probable cause. Instead, § 2703(d) requires only that there be "specific and particularly facts showing that there are reasonable grounds to believe" that the records requested are "relevant and material to an ongoing criminal investigation."
As was stated, ECPA itself does not prohibit the disclosure of customer records to third parties. When the third party is the government, ECPA expressly permits the service provider to share customer records "if the provider reasonably believes than an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information." This authorization is found in § 2702 and was added as part of the USA PATRIOT Act. In practice, it allows law enforcement to forgo even the minimal burden of a subpoena or a court order and claim there is an emergency that necessitates the records being turned over. Although it is voluntary for the provider to act under this provision, many do in practice.
ECPA embodies many important and useful protections, but much has changed since ECPA was passed in 1986; from personal computing to the Internet and now the ubiquity of mobile devices, much of today's technology (and even much of yesterday's) was not conceived when the law was first drafted. ECPA has been amended several times, but has not been significantly modified since becoming law.
ECPA regulates when electronic communications can be intercepted, monitored, or reviewed by third parties, making it a crime to intercept or procure electronic communications unless otherwise provided for under law or an exception to ECPA. ECPA defines "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce." This definition focuses on the transfer of the data - the time during which the packets of data are traveling between one point and the other. This creates and "on the wire" versus "off the wire" distinction that is becoming more difficult as technology advances.
ECPA case law is confused in part due to the sharp distinctions drawn between communications in transit and those that are being stored. What was once an clear distinction - particularly with wireline telephones - is now incredibly complex. For example, the packets that make-up a single e-mail are broken apart, transit multiple servers and routers, and are then recombined and stored on remote servers. It is unclear how ECPA applies to these packets: whether the email is in transit, and therefore governed by Title I, or in "electronic storage" and governed by Title II. Title I, the Wiretap Act, and Title II, the Stored Communications Act, have vastly different standards and requirements, which creates uncertainty for users, law enforcement, and the courts.
The adoption of cloud computing, while offering many benefits (such as convenience and ease of access), makes the need for ECPA reform more urgent. Whereas an e-mail stored on a home computer would be fully protected by the 4th Amendment warrant requirement, only the Sixth Circuit has ruled that all e-mail stored on a remote, cloud computing server is protected. More and more information, including documents, e-mails, pictures, personal calendars, and locational data is being stored in the cloud. Much of this data has little or no protection under current law. Protections for locational data, in particular, have been widely discussed, but, to date, have not been added.
The 180 day distinction within ECPA is also the subject of much criticism. When ECPA was passed in 1986, web-based e-mail, such as Gmail, did not exist. Instead, e-mail primarily existed in local intranets where clients would download their messages from the server and the server would, generally, not keep a backup. Congress presumed that any e-mails left on the server for more than 180 days should be treated like abandoned property. This distinction, however, is no longer as relevant today when customers have access to nearly unlimited cloud storage.
Congress has held several hearings on reforming ECPA, with technology companies and digital rights groups lobbying for clear standards that are adaptable to technological advances. Law enforcement has questioned the need to ECPA reform, fearing that reforms could decrease their ability to acquire digital information in a timely manner.
Current ECPA Reform Proposals
- Leahy - Lee, Electronic Communications Privacy Act Amendments Act of 2013, S. 607
- Paul, Fourth Amendment Preservation and Protection Act of 2013, S. 1037
- Lofgren - Poe - DelBene, Online Communications and Geolocation Protection Act, H.R. 983
- Section-by-section Summary
- Statement of Rep. Lofgren
- Statement of Rep. Poe
- Statement of Rep. DelBene
- Wyden - Kirk / Chaffetz - Sensenbrenner - Conyers, Geolocation Privacy and Surveillance Act, H.R. 1312, S. 639
On March 19, 2013, Senators Patrick Leahy and Mike Lee introduced the "Electronic Communications Privacy Act Amendments Act of 2013," which was reported favorably to the Senate by the Committee on the Judiciary on April 25, 2013, with an amendment from Sen. Leahy. The bill makes clear that a governmental entity may require disclosure of the contents of an electronic communication "only if the governmental entity obtains a warrant ... that is issued by a court of competent jurisdiction directing the disclosure." This would eliminate the "180-day rule" and the distinction between opened and unopened e-mails for the purposes of law enforcement access. The bill would also impose stricter notice requirements to ensure that any user whose communications are subject to a warrant will be notified promptly.
- The Electronic Communications Privacy Act (ECPA), Part 2: Geolocation Privacy and Surveillance, House Judiciary Committee, Subcommittee on Crime, Terrorism, Homeland Security and Investigations, April 25, 2013.
- The Electronic Communications Privacy Act (ECPA), Part 1: Lawful Access to Stored Content, House Judiciary Committee, Subcommittee on Crime, Terrorism, Homeland Security and Investigations, March 9, 2013.
- The Electronic Communications Privacy Act: Government Perspectives on Protecting Privacy in the Digital Age, Senate Judiciary Committee, April 6, 2011.
- ECPA Reform and the Revolution in Cloud Computing, House Judiciary Committee," September 23, 2010.
- "The Electronic Communications Privacy Act: Promoting Security and Protecting Privacy in the Digital Age," Senate Judiciary Committee, September 22, 2010.
- ECPA Reform and the Revolution in Location Based Technologies and Services, House Judiciary Committee, June 24, 2010.
- Electronic Communications Privacy Act Reform, House Judiciary Committee, May 5, 2010.
- Andrew Bagley, Don't Be Evil: The Fourth Amendment in the Age of Google, National Security, and Digital Papers and Effects, 21 Albany Law Journal of Science and Technology 153 (2011).
- Nathan Henderson, The Patriot Act's Impact on the Government's Ability to Conduct Electronic Surveillance of Ongoing Domestic Communications, 52 Duke L.J. 179 (2002).
- Ilana Kattan, Cloudy Privacy Protections: Why the Stored Communications Act Fails to Protect the Privacy of Communications Stored in the Cloud, 13 Vanderbilt Journal of Entertainment and Technology Law 617 (2011).
- Haley Plourde-Cole, Back to Katz: Reasonable Expectation of Privacy in the Facebook Age, 38 Fordham Urban Law Journal 571 (2010).
- The Electronic Communications Privacy Act of 1986 (ECPA), Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848 (1986).
- Wire and Electronic Communications Interception and Interception of Oral Communications, 18 U.S.C. Chapter 119.
- Stored Wire and Electronic Communications and Transactional Records Access, 18 U.S.C. Chapter 121.
- Pen Registers and Trap and Trace Devices, 18 U.S.C. Chapter 206.
- Katz v. United States, 389 U.S. 347 (1967).
- Smith v. Maryland, 442 U.S. 735 (1979).
- EPIC's National Security Letters Page
- EPIC's Wiretapping and Electronic Surveillance Page
- American Civil Liberties Union (ACLU) Modernizing ECPA
- Digital Due Process ECPA Reform
- Cyrus Farivar, Unprecedented E-mail Privacy Bill Sent to Texas Governor's Desk, ArsTechnica (May 28, 2103).
- Timothy B. Lee, Eric Holder Endorses Warrants for E-mail. It's About Time, Wash. Post - Wonkblog (May 16, 2013)
- Editorial, Upgrade Protections of Digital Records, Seattle Times, May 16, 2013
- Patrick McGreevy, California Senate Backs Requiring Warrants When Police Want E-mails, L.A. Times, May 13, 2013
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.